Author: Steve Durbin, Managing Director, Information Security Forum (ISF)

It is no secret that the impending EU General Data Protection Regulation (GDPR) will impact every entity that holds or uses European personal data, both inside and outside of Europe. It starts from a position that says ‘citizens’ rights are paramount.’ But what does this mean for financial organisations?

Everyone from business people to consumers will have a GDPR footprint. Knowing what these footprints look like is the first step to becoming aware of what the regulation means and the data that it affects.

Finding the Footprints in the Data

GDPR affords new rights to EU residents over their personal information, regardless of where it is processed. This includes the right to be forgotten, how data can be used and, importantly, that it should be protected against unauthorised disclosure. It mandates that personal data must not be transferred to jurisdictions that do not have equivalent data protection laws, unless suitable legal safeguards are in place. This includes treaties, such as the EU-US ‘Privacy Shield’ and contractual protections to bind the recipient to the laws of the source country; for example, ‘model clauses,’ ‘binding corporate rules,’ or obtaining unequivocal consent to transfer from the individual.

Article 4 of the regulation defines personal data as ‘any information relating to an identified or identifiable natural person … such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

It can include information obtained directly from someone, from other sources, and even inferred through processing or aggregation with other information.

Even if an individual’s name is removed, the data may still be personal in nature, depending on what additional information the organisation holds. For example, were the organisation to store a database anonymised down to account numbers but also hold a separate record of customer contact details that includes the account number, then both datasets would be deemed personal under this regulation, because the account number links them back to an identifiable person.

What must be remembered is that it does not just cover customer information, but also employee details; and not just electronic records: paper records stored in a filing system or archive are subject to the new rules as well.

Following the Footprints

As explained above, GDPR is wide-reaching legislation that will touch on the various data repositories within financial organisations, many of which have been accumulating data for years. This is further complicated by evolving working practices. For instance, employees may have been using online data repositories to exchange data with colleagues, or even to move it between their own devices.

Organisations will need to follow these data trails to identify where information is stored and ensure it is adequately protected.

Looking internally is just one element. Arguably, any and every business is sharing information in some way, shape or form. Organisations will need to ensure that these third parties are also applying the correct level of security in order to comply themselves.

One point that the European Commission has made is that this legislation is not just about fining organisations for suffering a data breach, but about encouraging them to make the right moves towards compliance. This means organisations need to be able to demonstrate that they have taken reasonable steps to implement processes that allow them to identify personal information. Moreover, they must show they have placed reasonable protection around personal information, including any shared with third parties, prove that they can remove data in a reasonable timeframe if requested, and be able to report a breach within 72 hours.

Protecting the Footprints

Data protection is the combination of processes and technologies that ensure personal data is processed in accordance with an individual’s wishes and the requirements of the law. Here are five steps to help financial organisations assess and manage these requirements:

Determine applicability: examine personal data processing activities to determine if GDPR applies and, if so, identify the data, functions or business units that may process it. Should the organisation share personal data with a third party, it remains responsible for ensuring adequate protection is in place. Third-party (processor) assurances should be requested ahead of next May’s introduction of the regulation.

Evaluate controls: implement specific, defined controls over personal data if the number of records exceeds a certain size, a certain level of sensitivity, or when processing of personal data is the main activity of the organisation.

Assess capabilities: GDPR stipulates a number of ‘outcomes’ and organisations need to make sure that they have the capabilities to achieve these requirements or, if needed, seek additional external support. For example, source legal guidance, commission an independent audit to check controls, or seek advice and/or assistance from management consultants. There is also a wealth of information available, such as ISF’s ‘Preparing for the GDPR: Implementation Guide’, where organisations can find practical advice and guidance.

Understand consequences: Failure to uphold information rights can carry a fine of up to 4% of the organisation’s group turnover or €20m, whichever is the greater. In addition, failure to implement the specified controls can carry a fine of up to 2% of the organisation’s group turnover or €10m, even if information rights have been upheld. Companies should not underestimate the potential impact of an enforcement action, which is just as significant – particularly if it requires an organisation to suspend business activities whilst it remedies data protection problems – not to mention the adverse publicity arising from a data protection incident. An organisation should ensure that these new consequences are reflected in its risk assessments and mitigated by training and by procedural, technical and legal controls.

Prepare for compliance: The GDPR will be enforced from 25 May 2018, and an organisation should understand which aspects of its preparations will – or will not – be in place by that time, so that it can plan its implementation and mitigate residual risks if it is not ready.

Becoming compliant with GDPR could require an immense amount of effort, but the bolstered security could prevent a brand-destroying data breach. If the worst were to happen, the organisation would be able to demonstrate that it had acted responsibly and implemented reasonable protection, supported by evidence such as audit trails, vulnerability assessments and risk assessments, which show that the organisation and its senior management take their responsibility to protect sensitive information seriously. While this may not prevent a fine being levied, it should limit the amount imposed.

Rather than being seen as an inhibitor, good data protection practices actively protect both brand and reputation and can ultimately improve data quality. It is an opportunity to enable strategic change that can help the business grow – just don’t leave it until May 2018 to identify the data footprints in your organisation.

ISF has published ‘Preparing for the GDPR: Implementation Guide’ to provide organisations with the structured method needed to achieve sufficient levels of compliance.
